Translation workflow security mitigation 2 #111

Open
wants to merge 13 commits into
base: master-workflow
28 changes: 18 additions & 10 deletions .github/workflows/translation-delete.yml
Expand Up @@ -5,18 +5,29 @@ on:
workflows: ["Pre-delete Translation"]
types:
- completed


env:
BRANCH: github.event.workflow_run.head_branch
CLEAN_BRANCH: "${BRANCH//[^[:alnum:]-_]/}"
jobs:
delete-translation:
if: startsWith(github.event.workflow_run.head_branch, 'translation') || startsWith(github.event.workflow_run.head_branch, 'stp')
if: |
(startsWith(github.event.workflow_run.head_branch, 'translation') || startsWith(github.event.workflow_run.head_branch, 'stp')) &&
!contains(github.event.workflow_run.head_branch, '!') &&
!contains(github.event.workflow_run.head_branch, '@') &&
!contains(github.event.workflow_run.head_branch, '#') &&
!contains(github.event.workflow_run.head_branch, '$') &&
!contains(github.event.workflow_run.head_branch, '%') &&
!contains(github.event.workflow_run.head_branch, '^') &&
!contains(github.event.workflow_run.head_branch, '&') &&
!contains(github.event.workflow_run.head_branch, '*') &&
!contains(github.event.workflow_run.head_branch, '(') &&
!contains(github.event.workflow_run.head_branch, ')')
runs-on: ubuntu-latest
steps:
- name: 'Branch [${{ github.event.workflow_run.head_branch }}]'
run: |
BRANCH='${{ github.event.workflow_run.head_branch }}'
CLEAN_BRANCH="${BRANCH//[^[:alnum:]-_]/}"

echo 'Deleting Translation Branch $CLEAN_BRANCH'
echo 'Deleting Translation Branch ${{ github.event.workflow_run.head_branch }}'
- name: Checkout 🛎️
uses: actions/[email protected]
with:
Expand All @@ -31,9 +42,6 @@ jobs:
run: npm i -g @crowdin/cli
- name: Delete Branch [${{ github.event.workflow_run.head_branch }}] 🗑️
run: |
BRANCH='${{ github.event.workflow_run.head_branch }}'
CLEAN_BRANCH="${BRANCH//[^[:alnum:]-_]/}"

crowdin branch delete $CLEAN_BRANCH -T ${{ secrets.CROWDIN_API_KEY }}
crowdin branch delete ${{ github.event.workflow_run.head_branch }} -T ${{ secrets.CROWDIN_API_KEY }}
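Review bot: The new `if:` guard at L31-L42 is an incomplete denylist — `;`, `|`, backticks, `'`, `"`, `<`, `>` and `{`/`}` are all legal in git ref names and none is excluded — yet the run steps at L51 and L63 now splice `${{ github.event.workflow_run.head_branch }}` directly into the shell where the old `$CLEAN_BRANCH` indirection used to be; since `workflow_run.head_branch` is chosen by the (possibly forked) PR author this is the script-injection pattern GitHub's own hardening guidance warns about, and the same direct interpolation appears in translation-push.yml at L152, L164, L173 and L181 (L51 and L152 are additionally inside a single-quoted echo, which a `'` in the ref terminates). The `env:` block at L25-L27, which by the addition count appears to be on the new side, does not help as written: `BRANCH: github.event.workflow_run.head_branch` lacks `${{ }}` so it is the literal string, and `${BRANCH//[^[:alnum:]-_]/}` is a bash parameter expansion that Actions never evaluates in `env:`, so `CLEAN_BRANCH` is also a literal. translation-pre-push.yml already shows the safe shape — `BRANCH: ${{ github.head_ref }}` in `env:` and `CLEAN_BRANCH="${BRANCH//[^[:alnum:]-_]/}"` inside `run:` — so this file should set `BRANCH: ${{ github.event.workflow_run.head_branch }}`, drop `CLEAN_BRANCH` from `env:`, compute it in each step and use `"$CLEAN_BRANCH"` in place of every inline `${{ ... }}` in `run:`, as below. The `if:` denylist can stay as defence in depth in all four workflows, but it must not be the only barrier.
```yaml
env:
  BRANCH: ${{ github.event.workflow_run.head_branch }}
# … unchanged: jobs / delete-translation / if guard / runs-on …
      - name: 'Branch [${{ github.event.workflow_run.head_branch }}]'
        run: |
          CLEAN_BRANCH="${BRANCH//[^[:alnum:]-_]/}"
          echo "Deleting Translation Branch $CLEAN_BRANCH"
# … unchanged: checkout / crowdin cli install …
      - name: Delete Branch [${{ github.event.workflow_run.head_branch }}] 🗑️
        run: |
          CLEAN_BRANCH="${BRANCH//[^[:alnum:]-_]/}"
          crowdin branch delete "$CLEAN_BRANCH" -T ${{ secrets.CROWDIN_API_KEY }}
```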


13 changes: 12 additions & 1 deletion .github/workflows/translation-pre-delete.yml
Expand Up @@ -9,7 +9,18 @@ on:
jobs:
check-translation-branch:
runs-on: ubuntu-latest
if: startsWith(github.head_ref, 'translation') || startsWith(github.head_ref, 'stp')
if: |
(startsWith(github.head_ref, 'translation') || startsWith(github.head_ref, 'stp')) &&
!contains(github.head_ref, '!') &&
!contains(github.head_ref, '@') &&
!contains(github.head_ref, '#') &&
!contains(github.head_ref, '$') &&
!contains(github.head_ref, '%') &&
!contains(github.head_ref, '^') &&
!contains(github.head_ref, '&') &&
!contains(github.head_ref, '*') &&
!contains(github.head_ref, '(') &&
!contains(github.head_ref, ')')
steps:
- name: Branch Check 🔍
run: |
22 changes: 16 additions & 6 deletions .github/workflows/translation-pre-push.yml
Expand Up @@ -5,17 +5,27 @@ on:
types: [opened, reopened, synchronize]
branches:
- 'master*'

env:
BRANCH: ${{ github.head_ref }}
jobs:
check-translation-branch:
runs-on: ubuntu-latest
if: startsWith(github.head_ref, 'translation') || startsWith(github.head_ref, 'stp')
if: |
(startsWith(github.head_ref, 'translation') || startsWith(github.head_ref, 'stp')) &&
!contains(github.head_ref, '!') &&
!contains(github.head_ref, '@') &&
!contains(github.head_ref, '#') &&
!contains(github.head_ref, '$') &&
!contains(github.head_ref, '%') &&
!contains(github.head_ref, '^') &&
!contains(github.head_ref, '&') &&
!contains(github.head_ref, '*') &&
!contains(github.head_ref, '(') &&
!contains(github.head_ref, ')')
steps:
- name: Branch Check 🔍
run: |
BRANCH='${{ github.head_ref }}'
CLEAN_BRANCH="${BRANCH//[^[:alnum:]-_]/}"

echo "$CLEAN_BRANCH is valid branch for translation workflow"
CLEAN_BRANCH="${BRANCH//[^[:alnum:]-_]/}"
echo "$CLEAN_BRANCH is a valid branch for translation workflow"


27 changes: 16 additions & 11 deletions .github/workflows/translation-push.yml
Expand Up @@ -8,15 +8,26 @@ on:

jobs:
push-translation:
if: startsWith(github.event.workflow_run.head_branch, 'translation') || startsWith(github.event.workflow_run.head_branch, 'stp')
if: |
(startsWith(github.event.workflow_run.head_branch, 'translation') || startsWith(github.event.workflow_run.head_branch, 'stp')) &&
!contains(github.event.workflow_run.head_branch, '!') &&
!contains(github.event.workflow_run.head_branch, '@') &&
!contains(github.event.workflow_run.head_branch, '#') &&
!contains(github.event.workflow_run.head_branch, '$') &&
!contains(github.event.workflow_run.head_branch, '%') &&
!contains(github.event.workflow_run.head_branch, '^') &&
!contains(github.event.workflow_run.head_branch, '&') &&
!contains(github.event.workflow_run.head_branch, '*') &&
!contains(github.event.workflow_run.head_branch, '(') &&
!contains(github.event.workflow_run.head_branch, ')')
runs-on: ubuntu-latest
steps:
- name: 'Source: [${{github.event.workflow_run.head_repository.full_name}}/${{ github.event.workflow_run.head_branch }}]'
run: |
BRANCH='${{ github.event.workflow_run.head_branch }}'
CLEAN_BRANCH="${BRANCH//[^[:alnum:]-_]/}"

echo 'Pushing strings and translations from ${{github.event.workflow_run.head_repository.full_name}}/$CLEAN_BRANCH'
echo 'Pushing strings and translations from ${{github.event.workflow_run.head_repository.full_name}}/${{ github.event.workflow_run.head_branch }}'
- name: Checkout 🛎️
uses: actions/[email protected]
with:
Expand All @@ -32,10 +43,7 @@ jobs:
- name: Download New Translations ⬇️
if: github.event.workflow_run.head_commit.message == 'auto-pull-translation'
run: |
BRANCH='${{ github.event.workflow_run.head_branch }}'
CLEAN_BRANCH="${BRANCH//[^[:alnum:]-_]/}"

crowdin download -b $CLEAN_BRANCH -T ${{ secrets.CROWDIN_API_KEY }} && crowdin download -b $CLEAN_BRANCH -l zh-CN -T ${{ secrets.CROWDIN_API_KEY }}
crowdin download -b ${{ github.event.workflow_run.head_branch }} -T ${{ secrets.CROWDIN_API_KEY }} && crowdin download -b ${{ github.event.workflow_run.head_branch }} -l zh-CN -T ${{ secrets.CROWDIN_API_KEY }}
if git diff --exit-code; then
echo "No new translation data to commit"
else
Expand All @@ -45,14 +53,11 @@ jobs:
git config --global user.email "[email protected]"
git add -u
git commit -m "translation: 📚 sync translations from crowdin feature branch"
git push origin $CLEAN_BRANCH
git push origin ${{ github.event.workflow_run.head_branch }}
fi
- name: Pushing Strings & Translations ⬆️
run: |
BRANCH='${{ github.event.workflow_run.head_branch }}'
CLEAN_BRANCH="${BRANCH//[^[:alnum:]-_]/}"

crowdin upload sources -b $CLEAN_BRANCH -T ${{ secrets.CROWDIN_API_KEY }}; crowdin upload translations -b $CLEAN_BRANCH -T ${{ secrets.CROWDIN_API_KEY }}
crowdin upload sources -b ${{ github.event.workflow_run.head_branch }} -T ${{ secrets.CROWDIN_API_KEY }}; crowdin upload translations -b ${{ github.event.workflow_run.head_branch }} -T ${{ secrets.CROWDIN_API_KEY }}
- name: Slack Notification 📣
uses: 8398a7/action-slack@v3
with: